Any organization that conducts business – whether it’s private or public – is susceptible to risk. Corporations, governments and individuals can all be held liable for an infinite number of things. Having up-to-date procedures in place to track, mitigate, enforce, control and report on risks is of prime importance when fines and penalties for non-compliance can run into the billions.
Whether it’s a bank trying to prove compliance with Basel 239 or a business trying to ensure that its “conservative investment profile” is risking the right amount of money for the right gain, risk management has a place. Many keywords are mentioned above, and I’d like to give an example of how they might fit together in the case of a company that’s trying to take risks to make money, while at the same time ensuring that it’s not breaking any regulations and is ready for an audit.
At the “C” level, the corporate leaders would use value drivers to set up a series of strategies and goals for the company to fulfill its mission. Risks would then be attached to the strategies and goals. A risk might capture the consequences to the company if a goal isn’t met or if there is fraud in the lending department. A risk can also set appetite: for example, how much risk to take in order to meet a strategic objective. Next, controls would be attached to the risks. For any given risk, controls prevent the risk from happening, or mitigate the risk if it does happen. Finally, the business’s processes and activities would be tied to the strategies and goals. For example, the activity “approve the loan” would be tied to the risk “accept no loans where the Loan-To-Value is over 75%.”
A well-designed process includes automated steps, and the risk “accept no loans where the Loan-To-Value is over 75%” is an ideal target for automation. Automation can reduce the risk of human failure – as well as improve efficiencies and thereby reduce overall risk. A system that automatically rejects loans with a poor Loan-To-Value ratio before a human looks at them saves time and reduces risk. When creating risks, it’s important to capture whether they can be automated and whether they are currently automated or manual.
Another important aspect is being able to run reports on your enterprise model: Which processes don’t have risk associated with them? Which risks don’t have any controls? Which strategies and goals aren’t tied to any processes? Which lines of business aren’t compliant? How much total operational risk is the company taking? When a company models its business in detail, it is invaluable to be able to run these types of reports.
One final thought on modeling: It’s important to have glossaries of terms so that everybody reads from the same book. As companies and governments grow, the various arms need to be sure they mean the same thing when they use a term like “liquidity”, “margin” or “credit default ratio.” When modeling a process, having a dictionary of terms available not only helps new employees, it helps ensure consistency across the business. Having people use the same term to mean different things is a risk in itself.